The following is quoted from the version of the page dated: February 12, 2002 (16:57 EST).

Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

AdventNet

This is in reference to your notification regarding [VU#107186 and VU#854306] and OUSPG#0100. AdventNet Inc. has reproduced this behavior in their products and coded a Service Pack fix which is currently in regression testing in AdventNet Inc.'s Q.A. organization. The release of AdventNet Inc's. Service Pack correcting the behavior outlined in VU#617947, and OUSPG#0100 is scheduled to be generally available to all of AdventNet Inc.'s customers by February 20, 2002.

Avaya

Avaya Inc. acknowledges the potential of SNMP vulnerabilities and is currently investigating whether these vulnerabilities impact Avaya's products or solutions. No further information is available at this time.

CacheFlow

The purpose of this email is to advise you that CacheFlow Inc. has provided a software update. Please be advised that updated versions of the software are now available for all supported CacheFlow hardware platforms, and may be obtained by CacheFlow customers at the following URL:
http://download.cacheflow.com/

A vulnerability to an SNMP packet with an invalid length community string has been resolved in the following products. Customers concerned about this weakness should ensure that they upgrade to the following agent versions:

PS Hub 40
2.16 is due Feb 2002

PS Hub 50
2.16 is due Feb 2002

Dual Speed Hub
2.16 is due Jan 2002

Switch 1100/3300
2.68 is available now

Switch 4400
2.02 is available now

Switch 4900
2.04 is available now

WebCache1000/3000
2.00 is due Jan 2002

Caldera

Caldera International, Inc. has reproduced faulty behavior in Caldera SCO OpenServer 5, Caldera UnixWare 7, and Caldera Open UNIX 8. We have coded a software fix for supported versions of Caldera UnixWare 7 and Caldera Open UNIX 8 that will be available from our support site at http://stage.caldera.com/support/security immediately following the publication of this CERT announcement. A fix for supported versions of OpenServer 5 will be available at a later date.

Cisco Systems

Cisco Systems is addressing the vulnerabilities identified by VU#854306 and VU#107186 across its entire product line. Cisco will publish a security advisory with further details at http://www.cisco.com/go/psirt/ .

Compaq Computer Corporation

x-ref: SSRT0779U SNMP
At the time of writing this document, COMPAQ continues to evaluate this potential problem and when new versions of SNMP are available, COMPAQ will implement solutions based on the new code. Compaq will provide notice of any new patches as a result of that effort through standard patch notification procedures and be available from your normal Compaq Services support channel.

Computer Associates

Computer Associates has confirmed Unicenter vulnerability to the SNMP advisory identified by CERT notification reference [VU#107186 & VU#854306] and OUSPG#0100. We have produced corrective maintenance to address these vulnerabilities, which is in the process of publication for all applicable releases / platforms and will be offered through the CA Support site. Please contact our Technical Support organization for information regarding availability / applicability for your specific configuration(s).

COMTEK Services, Inc.

NMServer for AS/400 is not an SNMP master and is therefore not vulnerable. However this product requires the use of the AS/400 SNMP master agent supplied by IBM. Please refer to IBM for statements of vulnerabilities for the AS/400 SNMP master agent.
NMServer for OpenVMS has been tested and has shown to be vulnerable. COMTEK Services is preparing a new release of this product (version 3.5) which will contain a fix for this problem. This new release is scheduled to be available in February 2002. Contact COMTEK Services for further information.

NMServer for VOS has not as yet been tested; vulnerability of this agent is unknown. Contact for further information on the testing schedule of the VOS product.

Covalent Technologies

Covalent Technologies has tested the Enterprise Ready Server, Managed Server, and Covalent Conductor SNMP module according to recommendations issued by CERT, and has found no security vulnerabilities associated with Advisory CA-2002-03.

Dartware, LLC

Dartware, LLC (www.dartware.com) supplies two products that use SNMPv1 in a manager role, InterMapper and SNMP Watcher. These products are not vulnerable to the SNMP vulnerability described in [VU#854306 and VU#107186]. This statement applies to all present and past versions of these two software packages.

DMH Software

DMH Software is in the process of evaluating and attempting to reproduce this behavior.

It is unclear at this point if our snmp-agent is sensitive to the tests described above.

If any problems will be discovered, DMH Software will code a software fix.

The release of DMH Software OS correcting the behavior outlined in VU#854306, VU#107186, and OUSPG#0100 will be generally available to all of DMH Software's customers as soon as possible.

EnGarde Secure Linux

EnGarde Secure Linux did not ship any SNMP packages in version 1.0.1 of our distribution, so we are not vulnerable to either bug.

The following is quoted from the version of the page dated: February 12, 2002 (16:57 EST).

FreeBSD

FreeBSD does not include any SNMP software by default, and so is not vulnerable. However, the FreeBSD Ports Collection contains the UCD-SNMP / NET-SNMP package. Package versions prior to ucd-snmp-4.2.3 are vulnerable. The upcoming FreeBSD 4.5 release will ship the corrected version of the UCD-SNMP / NET-SNMP package. In addition, the corrected version of the packages is available from the FreeBSD mirrors.
FreeBSD has issued the following FreeBSD Security Advisory regarding the UCD-SNMP / NET-SNMP package:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:09.snmp.asc .

---------------------------------------------------------
hp procurve switch 2524
---------------------------------------------------------
hp procurve switch 2525 (product J4813A) is vulnerable to some
issues, patches in process. Watch for the associated HP
Security Bulletin.
---------------------------------------------------------
NNM (Network Node Manager)
---------------------------------------------------------
Some problems were found in NNM product were related to
trap handling. Patches in process. Watch for the
associated HP Security Bulletin.
---------------------------------------------------------
JetDirect Firmware (Older versions only)
---------------------------------------------------------
ONLY some older versions of JetDirect Firmware are
vulnerable to some of the issues. The older firmware
can be upgraded in most cases, see list below.

JetDirect Firmware Version State
===============================

X.08.32 and higher NOT Vulnerable
X.21.00 and higher NOT Vulnerable

JetDirect Product Numbers that can be freely
upgraded to X.08.32 or X.21.00 or higher firmware.

================================================================
NOTE: The patches are labeled OV(Open View). However, the patches
are also applicable to systems that are not running Open View.
=================================================================

Any HP-UX 10.X or 11.X system running snmpd or snmpdm is vulnerable.
To determine if your HP-UX system has snmpd or snmpdm installed:

swlist -l file | grep snmpd

If a patch is not available for your platform or you cannot install
an available patch, snmpd and snmpdm can be disabled by removing their
entries from /etc/services and removing the execute permissions from
/usr/sbin/snmpd and /usr/sbin/snmpdm.

----------------------------------------------------------------
Still under investigation:
----------------------------------------------------------------

SNMP/iX (MPE/iX)

Hirschmann Electronics GmbH & Co. KG
Hirschmann Electronics GmbH & Co. KG supplies a broad range of networking products, some of which are affected by the SNMP vulnerabilities identified by CERT Coordination Center. The manner in which they are affected and the actions required to avoid being impacted by exploitation of these vulnerabilities, vary from product to product. Hirschmann customers may contact our Competence Center (phone +49-7127-14-1538, email: ans-support@nt.hirschmann.de) for additional information, especially regarding availability of latest firmware releases addressing the SNMP vulnerabilities.

IBM Corporation
Based upon the results of running the test suites we have determined that our version of SNMP shipped with AIX is NOT vulnerable.

Inktomi Corporation
Inktomi Corporation does not believe our CDS product is vulnerable. Vulnerability would stem from the use of SNMP Research software in the CDS product. However, SNMP Research has stated that their product Emanate, versions 15.x and higher, is not vulnerable. As Inktomi's CDS uses Emanate 15.3, we conclude that CDS is not vulnerable.

The "Router IP Console" releases prior to 3.3.0.407 are vulnerable. The release of "Router IP Console" correcting the behavior outlined in OUSPG#0100 is 3.3.0.407 and is already available on our site. Also, we will notify all our customers about this new release no later than March 5, 2002.

Juniper Networks
This is in reference to your notification regarding CAN-2002-0012 and CAN-2002-0013. Juniper Networks has reproduced this behavior and coded a software fix. The fix will be included in all releases of JUNOS Internet software built after January 5, 2002. Customers with current support contracts can download new software with the fix from Juniper's web site at http://www.juniper.net

Note: The behavior described in CAN-2002-0012 and CAN-2002-0013 can only be reproduced in JUNOS Internet software if "snmp traceoptions flag pdu" is enabled. Tracing of SNMP PDUs is generally not enabled in production routers.

Lantronix, Inc.

Lantronix is committed to resolving security issues with our products. The SNMP security bug you reported has been fixed in LRS firmware version B1.3/611(020123).

This problem does not affect default installations of the Domino Server. However, SNMP agents can be installed from the CD to provide SNMP services for the Domino Server (these are located in the /apps/sysmgmt/agents directory). The optional platform specific master and encapsulator agents included with the Lotus Domino SNMP Agents for HP-UX and Solaris have been found to be vulnerable. For those platforms, customers should upgrade to version R5.0.1 a of the Lotus Domino SNMP Agents, available for download from the Lotus Knowledge Base on the IBM Support Web Site (http://www.ibm.com/software/lotus/support/ ). Please refer to Document #191059, "Lotus Domino SNMP Agents R5.0.1a", also in the Lotus Knowledge Base, for more details.

LOGEC Systems Inc

The products from LOGEC Systems are exposed to SNMP only via HP OpenView. We do not have an implementation of SNMP ourselves. As such, there is nothing in our products that would be an issue with this alert.

Lucent

Lucent is aware of reports that there is a vulnerability in certain implementations of the SNMP (Simple Network Management Protocol) code that is used in data switches and other hardware throughout the telecom industry.

As soon as we were notified by CERT, we began assessing our product portfolio and notifying customers with products that might be affected.

Our 5ESS switch and most of our optical portfolio were not affected. Our core and edge ATM switches and most of our edge access products are affected, but we have developed, tested, and deployed fixes for many of those products to our customers. Fixes for the rest of the affected product portfolio will be available shortly.

We consider the security and reliability of our customers' networks to be one of our critical measures of success. We take every reasonable measure to ensure their satisfaction.

In addition, we are working with customers on ways to further enhance the security they have in place today.

The following is quoted from the version of the page dated: February 12, 2002 (16:57 EST).

Marconi

Marconi supplies a broad range of telecommunications and related products, some of which are affected by the SNMP vulnerabilities identified here. The manner in which they are affected and the actions required (if any) to avoid being impacted by exploitation of these vulnerabilities, vary from product to product. Those Marconi customers with support entitlement may contact the appropriate Technical Assistance Center (TAC) for additional information. Those not under support entitlement may contact their sales representative.

Microsoft Corporation

The Microsoft Security Response Center has investigated this issue, and provides the following information.

Summary:
All Microsoft implementations of SNMP v1 are affected by the vulnerability. The SNMP v1 service is not installed or running by default on any version of Windows. A patch is under way to eliminate the vulnerability. In the meantime, we recommend that affected customers disable the SNMP v1 service.

Details:
An SNMP v1 service ships on the CDs for Windows 95, 98, and 98SE. It is not installed or running by default on any of these platforms. An SNMP v1 is NOT provided for Windows ME. However, it is possible that Windows 98 machines which had the service installed and were upgraded would still have the service. Since SNMP is not supported for WinME, customers in this situation are urged to remove the SNMP service.
An SNMP v1 service is available on Windows NT 4.0 (including Terminal Server Edition) and Windows 2000 but is not installed or running by default on any of these platforms.Windows XP does not ship with an SNMP v1 service.

Remediation:
A patch is under way for the affected platforms, and will be released shortly. In the meantime, Microsoft recommends that customers who have the SNMP v1 service running disable it to protect their systems. Following are instruction for doing this:

Windows 95, 98 and 98SE:

In Control Panel, double-click Network.
On the Configuration tab, select Microsoft SNMP Agent from the list of installed components.
Click Remove
Check the following keys and confirm that snmp.exe is not listed.

Right-click on My Computer and select Manage
Click on Services and Applications, then on Services
Location SNMP on the list of services, then select it and click Stop.
Select Startup, and click Disabled.
Click OK to close the dialog, then close the Computer Management window.
For Windows NT 4.0 (including Terminal Server Edition):

Select Start, then Settings.
Select Control Panel, then click on the Services Icon
Locate SNMP on the list of services, then select it and click Stop.
Select Startup, and click Disabled.
Click OK to close the dialog, then close Control Panel
Windows 2000:
Right-click on My Computer and select Manage
Click on Services and Applications, then on Services
Location SNMP on the list of services, then select it and click Stop.
Select Startup, and click Disabled.
Click OK to close the dialog, then close the Computer Management window.

Multinet

MultiNet and TCPware customers should contact Process Software to check for the availability of patches for this issue. A couple of minor problems were found and fixed, but there is no security risk related to the SNMP code included with either product.

Netaphor

NETAPHOR SOFTWARE INC. is the creator of Cyberons for Java -- SNMP Manager Toolkit and Cyberons for Java -- NMS Application Toolkit, two Java based products that may be affected by the SNMP vulnerabilities identified here. The manner in which they are affected and the actions required (if any) to avoid being impacted by exploitation of these vulnerabilities, may be obtained by contacting Netaphor via email at info@netaphor.com Customers with annual support may contact support@netaphor.com directly. Those not under support entitlement may contact Netaphor sales: sales@netaphor.com or (949) 470 7955 in USA.

NetBSD
NetBSD does not ship with any SNMP tools in our 'base' releases. We do provide optional packages which provide various support for SNMP. These packages are not installed by default, nor are they currently provided as an install option by the operating system installation tools. A system administrator/end-user has to manually install this with our package management tools. These SNMP packages include:

netsaint-plugin-snmp-1.2.8.4 (SNMP monitoring plug-in for netsaint)
p5-Net-SNMP-3.60 (perl5 module for SNMP queries)
p5-SNMP-3.1.0 (Perl5 module for interfacing to the UCD SNMP library
p5-SNMP_Session-0.83 (perl5 module providing rudimentary access to remote SNMP agents)
ucd-snmp-4.2.1 (Extensible SNMP implementation) (conflicts with ucd-snmp-4.1.2)
ucd-snmp-4.1.2 (Extensible SNMP implementation) (conflicts with ucd-snmp-4.2.1)
We do provide a software monitoring mechanism called 'audit-packages', which allows us to highlight if a package with a range of versions has a potential vulnerability, and recommends that the end-user upgrade the packages in question.

Netscape Communications Corporation
Netscape continues to be committed to maintaining a high level of quality in our software and service offerings. Part of this commitment includes prompt response to security issues discovered by organizations such as the CERT® Coordination Center.

According to a recent CERT/CC advisory, The Oulu University Secure Programming Group (OUSPG) has reported numerous vulnerabilities in multiple vendor SNMPv1 implementations. These vulnerabilities may allow unauthorized privileged access, denial of service attacks, or unstable behavior.

We have carefully examined the reported findings, performing the tests suggested by the OUSPG to determine whether Netscape server products were subject to these vulnerabilities. It was determined that several products fell into this category. As a result, we have created fixes which will resolve the issues, and these fixes will appear in future releases of our product line. To Netscape's knowledge, there are no known instances of these vulnerabilities being exploited and no customers have been affected to date.

When such security warnings are issued, Netscape has committed to - and will continue to commit to - resolving these issues in a prompt and timely fashion, ensuring that our customers receive products of the highest quality and security.

NET-SNMP
All ucd-snmp version prior to 4.2.2 are susceptible to this vulnerability and users of versions prior to version 4.2.2 are encouraged to upgrade their software as soon as possible (http://www.net-snmp.org/download/). Version 4.2.2 and higher are not susceptible.

Network Associates
PGP is not affected, impacted, or otherwise related to this VU#.

Network Computing Technologies
Network Computing Technologies has reviewed the information regarding SNMP vulnerabilities and is currently investigating the impact to our products.

Nokia
This vulnerability is known to affect IPSO versions 3.1.3, 3.3, 3.3.1, 3.4, and 3.4.1. Patches are currently available for versions 3.3, 3.3.1, 3.4 and 3.4.1 for download from the Nokia website. In addition, version 3.4.2 shipped with the patch incorporated, and the necessary fix will be included in all future releases of IPSO.

We recommend customers install the patch immediately or follow the recommended precautions below to avoid any potential exploit.

If you are not using SNMP services, including Traps, simply disable the SNMP daemon to completely eliminate the potential vulnerability.

If you are using only SNMP Traps and running Check Point FireWall-1, create a firewall policy to disallow incoming SNMP messages on all appropriate interfaces. Traps will continue to work normally.

Nortel Networks
The CERT Coordination Center has issued a broad based alert to the technology industry, including Nortel Networks, regarding potential security vulnerabilities identified in the Simple Network Management Protocol (SNMP), a common networking standard. The company is working with CERT and other network equipment manufacturers, the U.S. Government, service providers, and software suppliers to assess and address this issue.

Novell
Novell ships SNMP.NLM and SNMPLOG.NLM with NetWare 4.x, NetWare 5.x and 6.0 systems. The SNMP and SNMPLOG vulnerabilities detected on NetWare are fixed and will be available through NetWare 6 Support Pack 1 & NetWare 5.1 Support Pack 4. Support packs are available at http://support.novell.com/tools/csp/

The following is quoted from the version of the page dated: February 12, 2002 (16:57 EST).

OpenBSD
OpenBSD does not ship SNMP code.

Qualcomm
WorldMail does not support SNMP by default, so customers who run unmodified installations are not vulnerable.

Redback Networks, Inc.
Redback Networks, Inc. has identified that the vulnerability in question affects certain versions of AOS software on the SMS 500, SMS 1800, and SMS 10000 platforms, and is taking the appropriate steps necessary to correct the issue.

Red Hat
RedHat has released a security advisory at

http://www.redhat.com/support/errata/RHSA-2001-163.html

with updated versions of the ucd-snmp package for all supported releases and architectures. For more information or to download the update please visit this page.

SGI
SGI acknowledges the SNMP vulnerabilities reported by CERT and is currently investigating. No further information is available at this time.

For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list on http://www.sgi.com/support/security/.

SNMP Research International
The most recent releases (15.3.1.7 and above) of all SNMP Research products address the vulnerabilities identified in the following CERT vulnerability advisories:

VU#854306 (Multiple vulnerabilities in SNMPv1 request handling)
VU#107186 (Multiple vulnerabilities in SNMPv1 trap handling)
A few of the malformed packets sent in these tests result in out of bound array references in allocated memory and minor memory leaks. No consequences, other than potential denial of service on some platforms, are known.

All customers who maintain a support contract have received either the new release or the appropriate patch sets to their 15.3.1.1 and later source code releases addressing these vulnerabilities. Users maintaining earlier releases should update to the current release if they have not already done so. Up-to-date information is available from support@snmp.com.

Stonesoft
Stonesoft's StoneGate product does not include an SNMP agent, and is therefore not vulnerable to this. Other Stonesoft's products are still under investigation. As further information becomes available, additional advisories will be available at

is affected by VU#854306 but not VU#107186. More specifically the main agent of SEA, snmpdx(1M), is affected on Solaris 2.6, 7, 8. Sun is currently generating patches for this issue and will be releasing a Sun Security Bulletin once the patches are available. The bulletin will be available from: http://sunsolve.sun.com/security. Sun patches are available from: http://sunsolve.sun.com/securitypatch .

Symantec Corporation
Symantec Corporation has investigated the SNMP issues identified by the OUSPG test suite and determined that Symantec products are not susceptible to these issues.

TANDBERG
Tandberg have run all the testcases found the PROTOS test-suite, c06snmpv1:

The tests were run with standard delay time between the requests (100ms), but also with a delay of 1ms. The tests applies to all TANDBERG products (T500, T880, T1000, T2500, T6000 and T8000). The software tested on these products were B4.0 (our latest software) and no problems were found when running the test suite.

Tivoli Systems
Our analysis indicates that this vulnerability does not affect the Tivoli NetView product.

Click to expand...

The above was quoted from the version of the page dated: February 12, 2002 (16:57 EST).